MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0ea6cf3417bf75417b5228b4afd31e5257f65f19d3deb39a39499c15a872c93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0ea6cf3417bf75417b5228b4afd31e5257f65f19d3deb39a39499c15a872c93
SHA3-384 hash: 8ecf51e8b0999597bd130a9dce45fa8171e64dd2bbb3ae52879cf96d2f02134ca3026444bea38e7bfb3145e3171ed430
SHA1 hash: b2301f86289592744001f134ed7d0f35f56fb9f0
MD5 hash: 1ab8b226d47e45f5fa339798ccae49e8
humanhash: burger-item-romeo-august
File name:file
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:734'208 bytes
First seen:2023-05-08 06:51:58 UTC
Last seen:2023-05-09 09:22:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:6811KH6XZ0nj0Is0W1y7ymC492lkzfjGmb02QdKg8e:NPKH6J0hW1ymmC4GkH9Qd
Threatray 821 similar samples on MalwareBazaar
TLSH T122F4E02527B9BBA1ECB6C3FC6608A4016FB57D2057B6E6D84DCAE0CC5154F18FA10B93
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter andretavare5
Tags:exe RaccoonStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc797927207_659869708?hash=QlwRceOu0t5mc6ZA6B6CPb76K5zt4EH554nPjch6G94&dl=G44TOOJSG4ZDANY:1683266431:z2wWeeJx93d0wb6BBQhZGEZdwhDsgQ4mzaZeUpniZCT&api=1&no_preview=1

Intelligence

File Origin
# of uploads :
2
# of downloads :
286
Origin country :
US US
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-08 06:54:26 UTC
Tags:
raccoon recordbreaker trojan loader stealer
Link:
https://app.any.run/tasks/b18aa649-a301-456e-ba87-cb1e9438f60e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387408/
Detection(s):
SecuriteInfo.com.Variant.Lazy.339156.22280.22061.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/64589c1dd76c8c7b476e460e/reports/6484b354-e73b-48c8-b1f4-5fea081cab83/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/f0ea6cf3417bf75417b5228b4afd31e5257f65f19d3deb39a39499c15a872c93
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14678abd-d5db-48b0-aa75-9d78c5ce784e
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228065
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0ea6cf3417bf75417b5228b4afd31e5257f65f19d3deb39a39499c15a872c93/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-05 17:10:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6dvgz42bpp3vif5vekfuv7jr4usx6zprtu66wondssm4cwuhfsjq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1302dd8497ba8909d81dce0a4069767bc358b0879443c1982ffea0292f9707e3
RaccoonStealer
2602293f954bbbcf9d3d6000c3bd7cc76cec8b29ae9aca6261afe4a3ba7bfe19
RaccoonStealer
2d6c9ac070f5bb55d66de498da4a8c26d377eb79d7917d03af6d3608e350ac08
RaccoonStealer
5fa5e7baf08438c75596491747f74e756630ec217d601c1ac9c33c3827f52a0d
RaccoonStealer
6747898e3bae69a097470821aa442f963c95c377daf15cec63f893d28f334cf4
RaccoonStealer
96d19b0d965d8afeb87bd82f3922f80b44224b8eb6b373bafcaeecfba7ea27d9
RaccoonStealer
ca4369c92b99c4410a13c6b8f18724c46d24145c851fd744c5a3e29c7e90ab9f
RaccoonStealer
d9fcc1602122022a5c2ad597168eed6137a55b2356d767f5a877083c99989561
RaccoonStealer
e94f95707bc1ee3c1516cce43846a594acf5a1024ae7a76cb34afe5639fe95b5
RaccoonStealer
+ 811 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:ea23912cd46ff68d5e144ebb6f4120ad stealer
Link:
https://tria.ge/reports/230508-hm3flabb6x/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Raccoon
Malware Config
C2 Extraction:
http://94.142.138.133
Unpacked files
SH256 hash:
4cb06d840c76a6836735fe4fe80bf2d4f5d4e1a999231aa4ffa0b8558fa6142b
MD5 hash:
3931b52d0daef03364da891c233f32bf
SHA1 hash:
ff1f72db3a31e098aa73329d0237b9dcaeebd97d
Link:
https://www.unpac.me/results/c43b378a-f9a8-4dcf-a8fa-8e75dcab51f7/
SH256 hash:
ef7122a98eca35c197740b6d6e1905c446a9d65fd1580f8fb3274d85151e5245
MD5 hash:
f4ff5b1b1dc7d2cc8c440f83bce82f8b
SHA1 hash:
e15b4dd8354139fbfefc4c63bfde8311da9f226f
Link:
https://www.unpac.me/results/c43b378a-f9a8-4dcf-a8fa-8e75dcab51f7/
SH256 hash:
e3c0b6b7d2f15ac342a5437f20e04b60f8ad5d212635b7c53f54548c0d0428d7
MD5 hash:
e7c7840892bd6ce2c5e90a67c7108594
SHA1 hash:
b7448714a161ac9c072a995efe7f48c972436034
Detections:
raccoonstealer
Create hunting rule
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/c43b378a-f9a8-4dcf-a8fa-8e75dcab51f7/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/c43b378a-f9a8-4dcf-a8fa-8e75dcab51f7/
SH256 hash:
d6bd34d594ff0adc5e31a12d3b102a111cf1fe04f43016afb8feba1050cbf0ad
MD5 hash:
3b40bea4e00e62c3f8d4a56e34ec6aff
SHA1 hash:
23391bc7b1c98498f271caa43aa9b6bdf33cd1ff
Link:
https://www.unpac.me/results/c43b378a-f9a8-4dcf-a8fa-8e75dcab51f7/
SH256 hash:
f0ea6cf3417bf75417b5228b4afd31e5257f65f19d3deb39a39499c15a872c93
MD5 hash:
1ab8b226d47e45f5fa339798ccae49e8
SHA1 hash:
b2301f86289592744001f134ed7d0f35f56fb9f0
Link:
https://www.unpac.me/results/c43b378a-f9a8-4dcf-a8fa-8e75dcab51f7/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f0ea6cf3417b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_recordbreaker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/387408/

Comments